Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Maintenance: Remove transitional flags to complete upgrade to Rails 5.2 #2676

Merged
merged 6 commits into from Oct 22, 2019

Conversation

@kevinrobinson
Copy link
Contributor

kevinrobinson commented Oct 22, 2019

This removes flags that were added as part of the upgrade process to Rails 5.2, in preparation for upgrading to 6.0 next.

It's possible that per_form_csrf_tokens interacts with some JS in a way that wasn't revealed in integration tests, so I'll test this manually on the demo site first.

@kevinrobinson

This comment has been minimized.

Copy link
Contributor Author

kevinrobinson commented Oct 22, 2019

FWIW, I don't think this per-form CSRF flag actually provides additional protection as far as I can tell. The UJS adapter also seems to blow away any per-form tokens and set them all to the global token (eg, https://github.com/rails/rails/blob/b2eb1d1c55a59fee1e6c4cba7030d8ceb524267c/actionview/app/assets/javascripts/rails-ujs/utils/csrf.coffee#L25). The global token seems like it is always also valid based on their test cases (eg, test_accepts_global_csrf_token in https://github.com/rails/rails/blob/99d12b950756c7d2a4afff538bcf04b40eda82bf/actionpack/test/controller/request_forgery_protection_test.rb#L910). Other issues confirm this (see github/rails/rails/32930, closed without a fix).

@kevinrobinson

This comment has been minimized.

Copy link
Contributor Author

kevinrobinson commented Oct 22, 2019

selfie

@kevinrobinson kevinrobinson merged commit d43e1b9 into master Oct 22, 2019
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@kevinrobinson kevinrobinson deleted the cleanup/deprecated-token branch Oct 22, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.